On Thu, 25 Nov 2021 13:13:28 +0800
Zhenyu Wang <zhenyuw@xxxxxxxxxxxxxxx> wrote:

> This is to fix incorrect pointer arithmetic which caused the wrong
> OpRegion version to be returned, so the VM driver got an error when
> getting the wanted VBT block. We need to be safe to return correct
> data, so force the pointer type for byte access.
>
> Fixes: 49ba1a2976c8 ("vfio/pci: Add OpRegion 2.0+ Extended VBT support.")
> Cc: Colin Xu <colin.xu@xxxxxxxxx>
> Cc: Alex Williamson <alex.williamson@xxxxxxxxxx>
> Cc: Dmitry Torokhov <dtor@xxxxxxxxxxxx>
> Cc: "Xu, Terrence" <terrence.xu@xxxxxxxxx>
> Cc: "Gao, Fred" <fred.gao@xxxxxxxxx>
> Acked-by: Colin Xu <colin.xu@xxxxxxxxx>
> Signed-off-by: Zhenyu Wang <zhenyuw@xxxxxxxxxxxxxxx>
> ---
>  drivers/vfio/pci/vfio_pci_igd.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/vfio/pci/vfio_pci_igd.c b/drivers/vfio/pci/vfio_pci_igd.c
> index 56cd551e0e04..dad6eeed5e80 100644
> --- a/drivers/vfio/pci/vfio_pci_igd.c
> +++ b/drivers/vfio/pci/vfio_pci_igd.c
> @@ -98,7 +98,7 @@ static ssize_t vfio_pci_igd_rw(struct vfio_pci_core_device *vdev,
>  		version = cpu_to_le16(0x0201);
>  
>  		if (igd_opregion_shift_copy(buf, &off,
> -					    &version + (pos - OPREGION_VERSION),
> +					    (u8 *)&version + (pos - OPREGION_VERSION),
>  					    &pos, &remaining, bytes))
>  			return -EFAULT;
>  	}
> @@ -121,7 +121,7 @@ static ssize_t vfio_pci_igd_rw(struct vfio_pci_core_device *vdev,
>  					OPREGION_SIZE : 0);
>  
>  		if (igd_opregion_shift_copy(buf, &off,
> -					    &rvda + (pos - OPREGION_RVDA),
> +					    (u8 *)&rvda + (pos - OPREGION_RVDA),
>  					    &pos, &remaining, bytes))
>  			return -EFAULT;
>  	}

Applied to vfio for-linus branch for v5.16. Thanks,

Alex
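Review bot: the `(u8 *)` cast in the `+` line of the `@@ -98,7` hunk is the right fix, because `version` is a `__le16` (it is assigned from `cpu_to_le16(0x0201)`), so `&version + (pos - OPREGION_VERSION)` scaled the byte offset by `sizeof(version)` and any read not starting exactly at `OPREGION_VERSION` copied from past the two-byte stack variable instead of from its second byte. A one-line comment next to `(u8 *)&version` stating that `pos - OPREGION_VERSION` is a byte offset would keep a later cleanup from dropping the cast as "redundant".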
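Review bot: the `@@ -121,7` hunk repairs the same unscaled pointer arithmetic for `rvda`, and with it both call sites now spell out the identical pattern `(u8 *)&<field> + (pos - OPREGION_<FIELD>)`. Consider moving the cast into `igd_opregion_shift_copy` by declaring its source parameter as `const u8 *` (or adding a thin wrapper that takes the variable and its OpRegion offset), so that a future field added to this read path cannot be passed as a typed pointer and reintroduce the scaling bug.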